10715511

Systems and Methods for a Secure Subscription Based Vehicle Data Service

Published: July 14, 2020
Assignee: not available in USPTO data we have
Technical Abstract

Patent Claims
9 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. A vehicle communication manager device located onboard a vehicle, the device comprising: a memory comprising a non-volatile memory device storing a fixed embedded public key, wherein the embedded public key is a public key of a public-private key pair associated with a data service system not onboard the vehicle; a processor in communication with a wireless datalink transceiver; a vehicle data service protocol executed by the processor, wherein the vehicle data service protocol initiates a communication session for data service exchanges with the data service system via the wireless datalink transceiver; wherein the vehicle data service protocol includes a session validation sequence that causes the processor to: transmit a session request message to the data service system; and validate an authenticity of a session reply request message received from the data service system using the embedded public key, wherein the session reply message includes a public operational authentication key, a public operational encryption key, and is signed with a subscriber validation private key associated with the embedded public key; wherein the vehicle data service protocol includes a session initiation sequence that causes the processor to: transmit an initiation request message to the data service system, the session request message including a key derivation key generated onboard the vehicle, wherein the key derivation key in the initiation request message is encrypted using the public operational encryption key; validate an authenticity of an initiation response message received from the data service system using the public operational authentication key; and in response to affirmatively validating the initiation response message, apply the key derivation key to a key derivation function to generate a message authentication key; wherein the processor authenticates data service uplink messages received from received from the host data service during the communication session using the message authentication key.

Plain English Translation

This invention relates to secure communication between a vehicle and an offboard data service system. The problem addressed is ensuring authenticated and encrypted data exchanges between the vehicle and the system, preventing unauthorized access or tampering. The vehicle includes a communication manager device with a processor, wireless transceiver, and memory storing a fixed embedded public key. This key is part of a public-private key pair associated with the data service system. The device executes a vehicle data service protocol to establish and manage secure communication sessions. During session validation, the device transmits a request to the data service system and verifies the authenticity of the system's reply using the embedded public key. The reply includes operational authentication and encryption keys, signed with a subscriber validation private key linked to the embedded public key. For session initiation, the device sends an initiation request containing a key derivation key generated onboard, encrypted with the operational encryption key. The system's response is validated using the operational authentication key. If validated, the key derivation key is processed through a key derivation function to generate a message authentication key. This key authenticates uplink messages from the data service system during the communication session, ensuring secure data exchange.
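The two sequences of claim 1, and the replica key that claim 5 describes, traced end to end with both sides in one process; this Go program is an added example, not code from the patent or its inventors. The claims name no algorithms or encodings, so Ed25519 signatures, RSA-OAEP encryption of the key derivation key, HMAC-SHA256 as both KDF and message tag, the "MAK" label, the reply encoding and every identifier are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

var demoPub, demoPriv, _ = ed25519.GenerateKey(rand.Reader) // constructed validation key pair

// Tag is HMAC-SHA256; using it as the KDF as well is an assumption (the claims name none).
func Tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// Handshake runs claim 1's two sequences in one process and returns the vehicle's
// message authentication key (MAK) and the data service's replica of it (claim 5).
func Handshake(embedded ed25519.PublicKey, svsPriv ed25519.PrivateKey) (veh, host []byte, err error) {
	authPub, authPriv, _ := ed25519.GenerateKey(rand.Reader) // service: operational keys
	encPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	body := append(append([]byte{}, authPub...), x509.MarshalPKCS1PublicKey(&encPriv.PublicKey)...)
	sig := ed25519.Sign(svsPriv, body) // session reply: both operational public keys, signed
	if !ed25519.Verify(embedded, body, sig) { // vehicle: use no key from the reply until this passes
		return nil, nil, fmt.Errorf("session reply rejected: signature does not verify under embedded key")
	}
	kdk := make([]byte, 32) // vehicle: fresh key derivation key, sent only in encrypted form
	rand.Read(kdk)
	initReq, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &encPriv.PublicKey, kdk, nil)
	if err != nil {
		return nil, nil, err
	}
	hostKDK, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, encPriv, initReq, nil) // host side
	if err != nil {
		return nil, nil, err
	}
	initResp := ed25519.Sign(authPriv, initReq) // host: response bound to this request
	if !ed25519.Verify(authPub, initReq, initResp) { // vehicle: derive the MAK only after this
		return nil, nil, fmt.Errorf("initiation response rejected")
	}
	return Tag(kdk, []byte("MAK")), Tag(hostKDK, []byte("MAK")), nil
}

func main() {
	veh, host, err := Handshake(demoPub, demoPriv)
	fmt.Println(err, hmac.Equal(Tag(host, []byte("uplink")), Tag(veh, []byte("uplink"))))
}
```

Passing any key other than the one matching the signer as `embedded` makes the first check fail, so the vehicle never encrypts a key derivation key to an unvalidated operational key.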

Claim 2

Original Legal Text

2. The device of claim 1, wherein the processor protects data service downlink messages sent to a host data service of the data service system during the communication session using the message authentication key.

Plain English Translation

A device for secure communication in a data service system addresses the problem of unauthorized access or tampering with data service downlink messages during communication sessions. The device includes a processor that generates a message authentication key for a communication session between a host data service and a client device. The processor uses this key to protect downlink messages sent from the host data service to the client device, ensuring message integrity and authenticity. The protection mechanism may involve encrypting the messages or appending authentication codes to verify their validity upon receipt. This ensures that only authorized parties can access or modify the messages, preventing interception or alteration by malicious actors. The device operates within a data service system where secure communication is critical, such as in financial transactions, healthcare data exchange, or enterprise applications. By implementing this key-based protection, the device enhances the overall security of the communication session, mitigating risks associated with data breaches or unauthorized access. The processor dynamically manages the message authentication key, ensuring it remains valid only for the duration of the session, further reducing exposure to security threats. This solution is particularly useful in environments where data confidentiality and integrity are paramount.

Claim 3

Original Legal Text

3. The device of claim 1, wherein the session request message includes a protocol identifier (ID) that identifies the embedded public key stored in the memory.

Plain English Translation

A device for secure communication includes a memory storing an embedded public key and a processor configured to receive a session request message. The session request message includes a protocol identifier (ID) that specifies which embedded public key in the memory should be used for establishing a secure session. The processor retrieves the identified public key from memory and uses it to authenticate the session request, ensuring secure communication. The device may also include a network interface for transmitting and receiving data over a network, and the processor may further encrypt or decrypt data using the embedded public key. The embedded public key is pre-stored in the memory, allowing the device to quickly access it without requiring external key retrieval. This approach enhances security by reducing exposure of the public key during communication setup, minimizing potential interception or tampering. The device is particularly useful in environments where secure, authenticated sessions are required, such as in IoT devices, encrypted messaging systems, or secure network protocols. The protocol identifier ensures flexibility, allowing the device to support multiple public keys for different protocols or use cases.

Claim 4

Original Legal Text

4. The device of claim 1, wherein the session reply message further includes an indication of one or more optional services available to the vehicle communication manager.

Plain English Translation

This invention relates to vehicle communication systems, specifically improving the exchange of information between a vehicle and a remote server during a communication session. The problem addressed is the lack of flexibility in how optional services are offered to vehicles, leading to inefficiencies in service delivery and resource utilization. The invention describes a device that facilitates communication between a vehicle and a remote server. The device processes a session request message from a vehicle communication manager and generates a session reply message in response. The session reply message includes an indication of one or more optional services available to the vehicle communication manager. These optional services may include additional data, features, or functionalities that the vehicle can request or utilize during the communication session. By providing this indication, the vehicle can make informed decisions about which services to access, optimizing the use of network resources and improving the overall efficiency of the communication process. The device may also handle authentication, session establishment, and data exchange between the vehicle and the server, ensuring secure and reliable communication. The inclusion of optional services in the session reply message enhances the adaptability of the system, allowing for dynamic service offerings based on vehicle needs or network conditions.

Claim 5

Original Legal Text

5. The device of claim 1, wherein the data service system generates a replica of the message authentication key and the data service uplink messages are protected using the replica of the message authentication key.

Plain English Translation

This invention relates to secure communication systems, specifically a device that enhances message authentication in data service systems. The problem addressed is ensuring secure and authenticated communication between a data service system and a device, particularly in scenarios where message integrity and confidentiality are critical. The device includes a data service system that generates a replica of a message authentication key. This replica is used to protect data service uplink messages, ensuring that these messages are authenticated and secure during transmission. The data service system also manages the distribution and synchronization of this key, allowing the device to verify the authenticity of received messages and encrypt outgoing messages using the same key. This mechanism prevents unauthorized access or tampering with the communication, maintaining the integrity and confidentiality of the transmitted data. The system may also include a device that receives and processes the data service uplink messages, verifying their authenticity using the message authentication key. The device may further include a key management module to handle key updates or synchronization, ensuring that the authentication process remains robust over time. The overall solution provides a secure framework for data exchange, particularly in environments where communication security is paramount, such as in IoT, industrial control systems, or other mission-critical applications.

Claim 6

Original Legal Text

6. The device of claim 1, wherein the data service system comprises a subscription validation service and the host data service, wherein the vehicle communication manager communicates with the subscription validation service during the session validation sequence, and wherein the vehicle communication manager communicates with the host data service during the session initiation sequence.

Plain English Translation

This invention relates to a vehicle communication system that manages data services, particularly focusing on subscription validation and session management. The system addresses the challenge of securely and efficiently authenticating vehicle data service subscriptions while ensuring seamless access to host data services. The device includes a vehicle communication manager that interacts with a data service system. The data service system comprises two key components: a subscription validation service and a host data service. During operation, the vehicle communication manager engages in a session validation sequence with the subscription validation service to verify the vehicle's subscription status. Once validated, the vehicle communication manager proceeds with a session initiation sequence to establish communication with the host data service, enabling access to the desired data services. The system ensures that subscription validation occurs before session initiation, preventing unauthorized access while maintaining efficient service delivery. This separation of validation and service access improves security and reliability in vehicle data service management. The invention is particularly useful in connected vehicle applications where secure and authenticated data access is critical.

Claim 7

Original Legal Text

7. The device of claim 6, wherein the session validation sequence is accessible through a first network address and the host data service is accessible through a second network address, wherein the second network address is communicated to the vehicle communication manager by the session reply message.

Plain English Translation

This invention relates to a vehicle communication system that enhances security and data management by separating session validation and host data services into distinct network addresses. The system includes a vehicle communication manager that initiates a session request to a session validation sequence, which authenticates the vehicle and establishes a secure communication channel. Upon successful validation, the session validation sequence provides a second network address to the vehicle communication manager, directing it to a host data service for subsequent data exchanges. This separation ensures that session validation and data transmission occur through different network endpoints, reducing the risk of unauthorized access or data interception. The host data service processes and manages data requests from the vehicle, such as software updates, diagnostics, or telemetry, while the session validation sequence handles authentication and session management. This architecture improves security by isolating sensitive authentication processes from routine data transactions, minimizing exposure to potential attacks. The system is particularly useful in connected vehicles where secure and efficient data exchange is critical.

Claim 8

Original Legal Text

8. The device of claim 7, wherein the wireless datalink transceiver is configured to communicatively couple the processor to a network, wherein the subscription validation service and the host data service are communicatively coupled to the network.

Plain English Translation

This invention relates to a wireless communication device designed to securely access subscription-based services. The device includes a processor, a wireless datalink transceiver, and a memory storing executable instructions. The processor is configured to execute these instructions to perform several functions. First, it authenticates a user by validating credentials against a subscription validation service. Once authenticated, the processor retrieves data from a host data service, ensuring the data is encrypted during transmission. The wireless datalink transceiver enables communication between the processor and a network, allowing interaction with both the subscription validation service and the host data service. The device ensures secure access to subscription-based content by verifying user credentials and encrypting data exchanges, addressing security and privacy concerns in wireless service access. The transceiver's network connectivity facilitates seamless interaction with remote services, enhancing usability while maintaining data integrity. This solution is particularly useful in environments where secure, authenticated access to subscription-based data is required, such as in mobile or IoT applications.

Claim 9

Original Legal Text

9. The device of claim 1, wherein the vehicle is an aircraft comprising either a communication management unit or a communication management function that executes the vehicle data service protocol.

Plain English Translation

Aircraft communication systems often require efficient data exchange between onboard systems and external networks. Traditional systems may lack standardized protocols or integration with existing aircraft communication infrastructure, leading to inefficiencies in data transmission and management. This invention addresses these issues by providing an aircraft equipped with a communication management unit (CMU) or a communication management function (CMF) that executes a vehicle data service protocol. The CMU or CMF acts as an intermediary, facilitating standardized data exchange between onboard systems and external networks. The protocol ensures compatibility with various aircraft systems, enabling seamless integration and efficient data transmission. The aircraft may also include a data service client that interfaces with the CMU or CMF to request and receive data, further enhancing communication capabilities. This system improves data management, reduces complexity, and ensures reliable communication within the aircraft's network infrastructure. The invention is particularly useful for modern aircraft requiring robust, standardized data exchange solutions.

Patent Metadata

Filing Date

Unknown

Publication Date

July 14, 2020

Inventors

Michael L. Olive
Xiaozhong He
Phani Ammi Raju Pothula


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “SYSTEMS AND METHODS FOR A SECURE SUBSCRIPTION BASED VEHICLE DATA SERVICE” (10715511). https://patentable.app/patents/10715511
